Identify your risks, prevent security breaches, and make a response plan just in case.
Both FINRA and the SEC have indicated that they expect advisors to have a written policy to address information security, particularly cybersecurity. Follow these three steps to create a policy that identifies your risks, prevents security breaches, and creates a response plan in case something does happen.
1. Conduct a Security Audit
The logical first step is to conduct an audit of your current security practices and identify the security risks that exist. Start with your front door. Are your offices locked securely when closed? Identify everyone who has keys, including landlords, cleaning crew, employees, and IT consultants. Do you change locks when employees leave the firm? Could someone enter by just breaking a window? Do employees lock up all client data when not in use?
Next, inventory all hardware. Are all servers encrypted and kept locked securely? Do all your computers have up-to-date virus and malware protection? Are you using an encryption program on all desktops and laptops? Are your modems, routers, and switches secure, and do they have up-to-date firmware installed?
Review all allowed access to your client data stored internally and externally. Determine who has access to what data. Do they need that access? Identify all web-based vendors where your client data exists, such as custodians, financial-planning sites, cloud-based portfolio management, or CRM systems. What are their cybersecurity precautions? Do they allow for a two-step authentication process, such as a randomly generated code from a key fob or sent by text to a cell phone? Do they require routine password resets or have personal security questions as a second layer of protection? Is login information blocked immediately when an employee leaves? Do you have a written data-destruction policy for both paper files and electronic media?
If you allow employees to access work email on their smartphones, laptops, or tablets, are they password protected? Can they be remotely wiped if lost or stolen? Do you allow employees to access data when working remotely? Do you require an encrypted connection such as VPN? Do you require employees to use a password manager program to securely sync passwords across all their devices? Do you have a strict password protocol or require randomly generated passwords?
How are client documents protected? Are you using a secure filesharing service or an encrypted client portal, or do you allow documents to be sent by email without encryption? Do you hold regular employee training on cyber risks and responsibilities, especially regarding mobile devices and removable media? If employees have account applications or other client documents with them out of the office, what efforts must they make to keep them secure?
Do clients have online access to their accounts? Can they effect trades or other money movement online? How do your employees verify clients' identities when money movement requests are received via email? By phone? Have there been any incidents of security breach in the past?
Depending upon how you do business, there may be many more areas to examine. For instance, if you use an outside IT vendor, involve them in the audit.
2. Draft a Written Information Security Policy
Once you have completed your audit, document what you examined, what you found, and your plan to remedy any weaknesses. Also document how you plan to test and monitor your plan afterward. This will become the baseline for your Information Security Policy and should be reviewed and updated each year as part of your overall annual compliance review. Document all employee training activities and their content.
3. Draft an Information Security Incident Response
Determine what is to be done in the event of a security breach. At the very least, any incident should be documented to include the nature of the incident, who and what equipment were involved, how the incident was detected, and how the firm responded. Also document the steps you will take to prevent a similar incident in the future. Identify who in the firm is responsible for the firm's response.
If clients' personal, non-public information was compromised, do you have a cybercrime insurance policy to help with the costs of notifying clients? Will it cover credit monitoring services for a year or two? Will it cover credit repair services? If a firm employee or ex-employee was involved, will the firm have coverage for any financial liability to clients?
Our online activity increases daily, and so does our exposure to the risk of unauthorized access to personal data. You will sleep better having addressed these issues. Your clients will appreciate your concern and efforts to protect their information. Your regulators are demanding it of you.